Protecting railway cyber-security today, tomorrow and for the future
Richard Thomas is a UKRRIN Industrial Fellow in Data Integration and Cyber-Security at the Birmingham Centre for Railway Research and Education (BCRRE). In this article for Global Railway Review, Richard explains the intricacies of protecting and maintaining railway assets, while constantly evolving to meet the cyber-security needs of future technology.
The digital transformation of our railways – whether that is infrastructure assets, signalling or rolling stock – is continuing at a significant pace. Through the digitalisation of components, cyber-security now becomes a key consideration, as any attack that targets rail could have severe safety implications. Unlike our traditional Information Technology (IT) systems, railway assets fall under the category of ‘Operational Technology’ (OT) systems, where the requirements we place on these systems are very different.
IT and OT
There are several key differences between IT and OT systems, and they apply equally to the railway sector. When we design, procure and maintain assets, their operational lifespans are measured in decades, not the few years that IT assets are typically deployed for. This means that we have to protect our assets not only from adversaries capable of attacking our systems today, but also from those who gain new capabilities as time passes. A good example is public-key cryptography. This is what is commonly deployed to protect and assure information in transit between two systems – we use it any time we visit a secure website, where it proves that the site is genuine and that the data we send, for example to our bank, cannot be intercepted and read by anyone else. Public-key cryptography depends on the difficulty of factorising a very large number. However, in a ‘post-quantum’ world, factorising such numbers becomes possible. Significant efforts by industry and academia are working on solutions in this area.
Another difference is that asset owners, whether they are an infrastructure manager or a rolling stock owner, will typically receive ‘closed-source’ systems, where we rely on certification and assurance by the vendor and supply chain. The European Union Network and Information Systems (NIS) Directive aims to develop a cyber-secure culture within essential services, and places responsibility on the asset owner to assure and affirm the cyber-security of their assets. In many EU member states, the rail sector is deemed an ‘essential service’, so we must be confident in the cyber-security of our assets.
Cyber-security in rail
In the rail sector, we have seen cyber-security developed into standards – e.g. the European Rail Traffic Management System (ERTMS) – which is a significant step in the right direction, but how do we keep our assets secure? Cyber-security is a continuous process that must be reviewed over the lifecycle of the asset. Unlike safety assurance, where the safety case holds as long as we don’t fundamentally change our asset, cyber-security is a changing dynamic. We must, therefore, be prepared to review design and implementation decisions on a regular basis to ensure that our assets remain secure. As our fleets and infrastructure assets become ever more highly digitalised, this is a challenge that will only continue to grow.
Before we delve into the solutions and what we must consider, it’s important to review the lifecycle of an asset, from design to implementation, deployment and then retirement. When we design and develop our systems and assets, we are typically constrained by the hardware available at the time, which means that we must make decisions to provide optimal security whilst not impacting performance. As time passes, though, these barriers are eliminated, and we should look to implement the improvements they previously prevented in order to benefit from maximal security. As an example, in 1997, when the ERTMS standards were being developed, the cryptography used had to be carefully selected due to hardware limitations. These hardware constraints, however, are long gone: most computer processors now benefit from hardware implementations of AES, something which was not possible over 20 years ago. When these barriers no longer exist, we should look at implementing the best practices and solutions available, both at the point of design and as opportunities for improvement arise.
Reviewing and managing risk
When we deploy the asset into the railway environment, that’s not the end of our journey. We need to maintain it, not only for operational performance, but also to ensure that we understand the cyber-security risk to that asset and whether that position has changed – for example, if a technical capability that the adversary did not have before will soon be available to them. I argue that the design and maintenance of an asset, from the perspective of cyber-security, is vital, but why? We firstly must get our design decisions right, as these ultimately determine the security of our deployed asset. Once deployed, we must review and manage the risk, updating our assets and adapting them to ensure cyber-security. There are questions that we can consider as a sector, both as suppliers and customers, which will allow us to develop cyber-security as a practice in the same way we have done for safety.
Given the time it takes to obtain assurance and certification for our assets, we need to consider the lead-time to deliver improvements. What isn’t vulnerable today may be in the realm of the possible for an adversary in five to 10 years. Developing solutions early accounts for this lead-time and ensures that we understand the threat landscape and can prepare for when these risks arise.
When we design these solutions, there is an excellent question of ‘where do we start?’. As previously mentioned in this article, the cyber-security of OT systems is very different to that of our traditional IT systems, with very different kinds of attack. As an example, there have been attacks which disrupt operations – such as Stuxnet and WannaCry (where the operational systems were shut down to prevent the spread) – and those which purposely changed the configuration of the system (Triton). In the case of WannaCry, we saw it affecting the rail sector, from passenger information displays on platforms to engineering workstations having to be shut down to protect the safe operation of the railway. Our railway assets fall under this umbrella of industrial systems, where we can look at what has happened in the past to define our questions of what we review, resolve and develop into appropriate controls to ensure future security. These questions apply to our sector both as asset owners and internally in the supply chain, to ensure that we can not only be secure by design, but also continuously improve the security of deployed assets. At Birmingham, we’ve spent some time looking at the cyber-threat landscape for industrial systems, and the threats generally reduce to a few themes, such as: poor access control measures; additional entry points to a system which bypass designed-in authentication methods; poor memory management in code; weak or broken cryptography being deployed; web-based weaknesses in applications; and poor handling of input, leading to loss of availability. These themes allow us to ask vendors whether they have ensured that these issues don’t exist, and also guide our testing to assure the security of our infrastructures.
Building industry standards that are flexible, but secure
From these themes, we, as a sector, can ensure that our assets are secure, identifying solutions and requirements where needed but, more importantly, learning from other sectors. This, however, is implementation – what about standards? In the rail sector, we leverage standards for interoperability, cost reduction and to set our sector trajectories. If the standard doesn’t equally consider cyber-security, then the implementations could potentially be insecure. When standards are developed and updated, we should ensure that we afford enough flexibility to adapt, so that the standards can use the most appropriate solutions that are available. This includes using proven, trusted building blocks, rather than developing bespoke solutions. ERTMS is a case in point of how this flexibility enables new secure solutions to be developed into the standards and gradually rolled out through new baselines, addressing the cyber-security challenges that it will have to defend against throughout its lifespan.
Finally, we also need to consider the security of our architectures – in particular, when we have different systems connected, where different standards and requirements exist in isolation. With the mix of old and new assets, we need to set a baseline of what is acceptable, define the trajectory of what ‘good’ should look like and develop continuous improvement processes to review, monitor and understand the cyber-security of the system as a whole. Cyber-security has a critical role now in the rail sector as we undergo our digital transformation. Security and safety now co-exist, where an exploited vulnerability can have a serious effect on the safety of the system. We have the opportunity as a sector to lead in developing good practice, through our standardisation efforts, and working together to define what effective cyber-security and the future looks like for our digital railway.
Richard Thomas engages in industrial collaboration for innovative data and cyber-security solutions for the railway sector and is the cyber-security technical lead in the UK Rail Research and Innovation Network (UKRRIN) Centre of Excellence in Digital Systems, led by the University of Birmingham.